Abstract. Ong has shown that the modal mu-calculus model checking problem (equivalently, the alternating parity tree automaton (APT) acceptance problem) of possibly-infinite ranked trees generated by order-n recursion schemes is n-EXPTIME complete. We consider two subclasses of APT and investigate the complexity of the respective acceptance problems. The main results are that, for APT with a single priority, the problem is still n-EXPTIME complete; whereas, for APT with a disjunctive transition function, the problem is (n − 1)-EXPTIME complete. This study was motivated by Kobayashi's recent work showing that the resource usage verification of functional programs can be reduced to the model checking of recursion schemes. As an application, we show that the resource usage verification problem is (n − 1)-EXPTIME complete.



The model checking problem for higher-order recursion schemes has been a topic of active research in recent years (for motivation as to why the problem is interesting, see e.g. the introduction of Ong's paper [15]). This paper studies the complexity of the problem with respect to certain fragments of the modal μ-calculus. A higher-order recursion scheme (recursion scheme, for short) is a kind of (deterministic) grammar for generating a possibly-infinite ranked tree. The model checking problem for recursion schemes is to decide, given an order-n recursion scheme $\mathcal{G}$ and a specification $\varphi$ for infinite trees, whether the tree generated by $\mathcal{G}$ satisfies $\varphi$. Ong [15] has shown that if $\varphi$ is a modal μ-calculus formula (or equivalently, an alternating parity tree automaton), then the model checking problem is n-EXPTIME complete.

Following Ong's work, Kobayashi [12] has recently applied the decidability result to the model checking of higher-order functional programs (precisely, programs of the simply-typed λ-calculus with recursion and resource creation/access primitives). He considered the resource usage verification problem [7]: the problem of whether programs access dynamically created resources in a valid manner (e.g. whether every opened file will eventually be closed, and thereafter never read from or written to before it is reopened). He showed that the resource usage verification problem reduces to a model checking problem for recursion schemes by giving a transformation that, given a functional program, constructs a recursion scheme that generates all possible resource access sequences of the program. From Ong's result, it follows that the resource usage verification problem is in n-EXPTIME (where, roughly, n is the highest order of types in the program). This result also implies that various other verification problems, including (the precise verification of) reachability ("Does a closed program reach the fail command?") and flow analysis ("Does a sub-term $e$ evaluate to a value generated at program point $\ell$?"), are also in n-EXPTIME, as they can be easily recast as resource usage verification problems.

It was however unknown whether n-EXPTIME is the tightest upper bound of the resource usage verification problem. Although the model checking of recursion schemes is n-EXPTIME-hard for the full modal μ-calculus, only a certain fragment of the modal μ-calculus is used in Kobayashi's approach to the resource usage verification problem. First, specifications are restricted to safety properties, which can be described by Büchi tree automata with a trivial acceptance condition (the class called "trivial automata" by Aehlig [1]). Secondly, specifications are also restricted to linear-time properties: the branching structure of trees is ignored, and only the path languages of trees are of interest. Thus, one may reasonably hope that there is a more tractable model checking algorithm than the n-EXPTIME algorithm.

The goal of this paper is, therefore, to study the complexity of the model checking of recursion schemes for various fragments of the modal μ-calculus (or, alternating parity tree automata) and to apply the result to obtain tighter bounds on the complexity of the resource usage verification problem.

The main results of this paper are as follows: 

(i) The problem of whether a given Büchi tree automaton with a trivial acceptance condition (or, equivalently, an alternating parity tree automaton with a single priority 0) accepts the tree generated by an order-n recursion scheme is still n-EXPTIME-hard, both in the size of the recursion scheme and in that of the automaton. This follows from the n-EXPTIME-completeness of the word acceptance problem of higher-order alternating pushdown automata [6].¹

(ii) We introduce a new subclass of alternating parity tree automata (APT) called disjunctive APT, and show that its acceptance problem for trees generated by order-n recursion schemes is (n − 1)-EXPTIME complete. From this general result, it follows that both the linear-time properties (including reachability, which is actually (n − 1)-EXPTIME-complete) and finiteness of the tree generated by a recursion scheme are decidable in (n − 1)-EXPTIME.

(iii) As an application, we show that the resource usage verification problem [12] is also (n − 1)-EXPTIME-complete, where n is the highest order of types used in the source program (written in an appropriate language [12]).

The rest of this paper is organized as follows. Section 2 reviews definitions of recursion schemes and alternating parity tree automata (APT). Section 3 introduces the class of trivial APT and studies the complexity of model checking recursion schemes. Section 4 introduces the class of disjunctive APT and studies the complexity of model checking recursion schemes.



¹ Engelfriet's proof [6] is for a somewhat different (but equivalent) machine which is called an iterated pushdown automaton.



COMPLEXITY OF MODEL CHECKING RECURSION SCHEMES 






Section 5 applies the result to analyze the complexity of the resource usage verification problem. Section 6 discusses related work and concludes the paper.



2. Preliminaries 

Let $\Sigma$ be a ranked alphabet, i.e. a function that maps a terminal symbol to its arity, which is a non-negative integer. Let $\mathbb{N} = \{1, 2, \ldots\}$. A $\Sigma$-labeled (unranked) tree $T$ is a partial map from $\mathbb{N}^*$ to $\mathit{dom}(\Sigma)$, such that $s\,k \in \mathit{dom}(T)$ (where $s \in \mathbb{N}^*$, $k \in \mathbb{N}$) implies $\{s\} \cup \{s\,j \mid 1 \le j \le k\} \subseteq \mathit{dom}(T)$. A (possibly infinite) sequence $\pi$ over $\mathbb{N}$ is a path of $T$ just if every finite prefix of $\pi$ is in $\mathit{dom}(T)$. A tree is ranked just if $\max\{j \mid s\,j \in \mathit{dom}(T)\}$ is equal to the arity of $T(s)$ for each $s \in \mathit{dom}(T)$.



Higher-Order Recursion Schemes. The set of types is defined by:

$\kappa ::= o \mid \kappa_1 \to \kappa_2$

where $o$ is the type of trees. By convention, $\to$ associates to the right; thus, for example, $o \to o \to o$ means $o \to (o \to o)$. The order of $\kappa$, written $\mathit{order}(\kappa)$, is defined by:

$\mathit{order}(o) := 0$

$\mathit{order}(\kappa_1 \to \kappa_2) := \max(\mathit{order}(\kappa_1) + 1,\ \mathit{order}(\kappa_2))$.

A (deterministic) higher-order recursion scheme (recursion scheme, for short) is a quadruple $\mathcal{G} = (\Sigma, \mathcal{N}, \mathcal{R}, S)$, where

(i) $\Sigma$ is a ranked alphabet of terminal symbols.

(ii) $\mathcal{N}$ is a map from a finite set of symbols called non-terminals to types.

(iii) $\mathcal{R}$ is a set of rewrite rules $F\,\tilde{x} \to t$. Here $\tilde{x} = x_1, \ldots, x_n$ abbreviates a sequence of variables, and $t$ is an applicative term constructed from non-terminals, terminals, and variables $x_1, \ldots, x_n$.

(iv) $S$ is a start symbol.

We require that $\mathcal{N}(S) = o$. The set of (typed) terms is defined in the standard manner: a non-terminal or variable of type $\kappa$ is a term of type $\kappa$. A terminal of arity $k$ is a term of type $\underbrace{o \to \cdots \to o}_{k} \to o$. If terms $t_1$ and $t_2$ have types $\kappa_1 \to \kappa_2$ and $\kappa_1$ respectively, then $t_1\,t_2$ is a term of type $\kappa_2$. By convention, application associates to the left; thus, for example, $s\,t\,u$ means $(s\,t)\,u$. For each rule $F\,\tilde{x} \to t$, $F\,\tilde{x}$ and $t$ must be terms of type $o$. There must be exactly one rewrite rule for each non-terminal. The order of a recursion scheme is the highest order of (the types of) its non-terminals.

A rewrite relation on terms is defined inductively by:

(i) If $F\,\tilde{x} \to t \in \mathcal{R}$, then $F\,\tilde{s} \to_{\mathcal{G}} [\tilde{s}/\tilde{x}]t$.

(ii) If $t \to_{\mathcal{G}} t'$, then $t\,s \to_{\mathcal{G}} t'\,s$ and $s\,t \to_{\mathcal{G}} s\,t'$.

The value tree of a recursion scheme $\mathcal{G}$, written $[\![\mathcal{G}]\!]$, is the (possibly infinite) tree obtained by infinite rewriting of the start symbol $S$. More precisely, let us define $t^\perp$ by:

$(t_1\,t_2)^\perp = \perp$ if $t_1^\perp = \perp$, and $(t_1\,t_2)^\perp = t_1^\perp\,t_2^\perp$ otherwise.

The value tree $[\![\mathcal{G}]\!]$ is the $\Sigma \cup \{\perp \mapsto 0\}$-ranked tree defined by:

$[\![\mathcal{G}]\!] = \bigsqcup \{\, t^\perp \mid S \to_{\mathcal{G}}^* t \,\}$

Here, $\bigsqcup S$ denotes the least upper bound with respect to the tree order $\sqsubseteq$ defined by

$T_1 \sqsubseteq T_2 \iff \forall s \in \mathit{dom}(T_1).\ (T_1(s) = T_2(s) \lor T_1(s) = \perp)$

Note that $[\![\mathcal{G}]\!]$ is always well-defined, as the rewrite relation $\to_{\mathcal{G}}$ is confluent.

Figure 1: The tree generated by the recursion scheme of Example 1.
Example 1. Consider the recursion scheme $\mathcal{G} = (\Sigma, \mathcal{N}, \mathcal{R}, S)$ where

$\Sigma = \{a \mapsto 2,\ b \mapsto 1,\ c \mapsto 1,\ e \mapsto 0\}$

$\mathcal{N} = \{S \mapsto o,\ F \mapsto (o \to o) \to o \to o,\ I \mapsto o \to o,\ C \mapsto (o \to o) \to (o \to o) \to (o \to o)\}$

$\mathcal{R} = \{\ S \to F\,I\,e,\quad F\,f\,x \to a\,(f\,x)\,(F\,(C\,b\,f)\,(c\,x)),\quad I\,x \to x,\quad C\,f\,g\,x \to f\,(g\,x)\ \}$

$S$ is reduced as follows.

$S \to F\,I\,e$

$\to a\,(I\,e)\,(F\,(C\,b\,I)\,(c\,e))$

$\to^* a\,e\,(a\,(C\,b\,I\,(c\,e))\,(F\,(C\,b\,(C\,b\,I))\,(c\,(c\,e))))$

$\to^* a\,e\,(a\,(b\,(c\,e))\,(F\,(C\,b\,(C\,b\,I))\,(c\,(c\,e))))$

$\to^* a\,e\,(a\,(b\,(c\,e))\,(a\,(b^2\,(c^2\,e))\,(a\,(b^3\,(c^3\,e))\,\cdots)))$

The value tree is shown in Figure 1. Each path of the tree is labelled by $a^{m+1}\,b^m\,c^m\,e$. □



Alternating parity tree automata. Given a finite set $X$, the set $\mathcal{B}^+(X)$ of positive Boolean formulas over $X$ is defined as follows. We let $\theta$ range over $\mathcal{B}^+(X)$.

$\theta ::= t \mid f \mid x \mid \theta \land \theta \mid \theta \lor \theta$

where $x$ ranges over $X$. We say that a subset $Y$ of $X$ satisfies $\theta$ just if assigning true to elements in $Y$ and false to elements in $X \setminus Y$ makes $\theta$ true.

An alternating parity tree automaton (or APT for short) over $\Sigma$-labelled trees is a tuple $\mathcal{A} = (\Sigma, Q, \delta, q_I, \Omega)$ where

(i) $\Sigma$ is a ranked alphabet; let $m$ be the largest arity of the terminal symbols;

(ii) $Q$ is a finite set of states, and $q_I \in Q$ is the initial state;

(iii) $\delta : Q \times \Sigma \to \mathcal{B}^+(\{1, \ldots, m\} \times Q)$ is the transition function where, for each $f \in \Sigma$ and $q \in Q$, we have $\delta(q, f) \in \mathcal{B}^+(\{1, \ldots, \mathit{arity}(f)\} \times Q)$; and

(iv) $\Omega : Q \to \{0, \ldots, M - 1\}$ is the priority function.

A run-tree of an APT $\mathcal{A}$ over a $\Sigma$-labelled ranked tree $T$ is a $(\mathit{dom}(T) \times Q)$-labelled unranked tree $r$ satisfying:

(i) $\epsilon \in \mathit{dom}(r)$ and $r(\epsilon) = (\epsilon, q_I)$; and

(ii) for every $\beta \in \mathit{dom}(r)$ with $r(\beta) = (\alpha, q)$, there is a set $S$ that satisfies $\delta(q, T(\alpha))$; and for each $(i, q') \in S$, there is some $j$ such that $\beta\,j \in \mathit{dom}(r)$ and $r(\beta\,j) = (\alpha\,i, q')$.

Let $\pi = \pi_1 \pi_2 \cdots$ be an infinite path in $r$; for each $i \ge 0$, let the state label of the node $\pi_1 \cdots \pi_i$ be $q_{n_i}$, where $q_{n_0}$, the state label of $\epsilon$, is $q_I$. We say that $\pi$ satisfies the parity condition just if the largest priority that occurs infinitely often in $\Omega(q_{n_0})\,\Omega(q_{n_1})\,\Omega(q_{n_2}) \cdots$ is even. A run-tree $r$ is accepting if every infinite path in it satisfies the parity condition. An APT $\mathcal{A}$ accepts a (possibly infinite) ranked tree $T$ if there is an accepting run-tree of $\mathcal{A}$ over $T$.

Ong [15] has shown that there is a procedure that, given a recursion scheme $\mathcal{G}$ and an APT $\mathcal{A}$, decides whether $\mathcal{A}$ accepts the value tree of $\mathcal{G}$.

Theorem 2.1 (Ong). Let $\mathcal{G}$ be a recursion scheme of order $n$, and $\mathcal{A}$ be an APT. The problem of deciding whether $\mathcal{A}$ accepts $[\![\mathcal{G}]\!]$ is n-EXPTIME-complete.

As usual (following [15]), we restrict our attention to recursion schemes whose value trees do not contain $\perp$ in the rest of the paper. Given a recursion scheme $\mathcal{G}$ that may generate $\perp$ and an APT $\mathcal{A}$, one can construct $\mathcal{G}'$ and $\mathcal{A}'$ such that (i) $\mathcal{A}$ accepts $[\![\mathcal{G}]\!]$ if and only if $\mathcal{A}'$ accepts $[\![\mathcal{G}']\!]$, and (ii) $\mathcal{G}'$ does not generate $\perp$.²

3. Trivial APT and the Complexity of Model Checking 

APT with a trivial acceptance condition, or trivial APT (for short), is an APT that has exactly one priority, which is even. Note that trivial APT are equivalent to Aehlig's "trivial automata" [1] (for defining languages of ranked trees).

The first result of this paper is a logical characterization of the class of $\Sigma$-labelled ranked trees accepted by trivial APT. Call $\mathcal{S}$ the following fragment of the modal mu-calculus:

$\varphi ::= t \mid f \mid p_f \mid Z \mid \varphi \land \varphi \mid \varphi \lor \varphi \mid \langle i \rangle \varphi \mid \nu Z.\varphi$

where $f$ ranges over symbols in $\Sigma$, and $i$ ranges over $\{1, \ldots, m\}$, $m$ being the largest arity of the symbols in $\Sigma$. (We think of $\mathcal{S}$ as the "safety" fragment.) We give a characterization of trivial APT. A proof is given in Appendix A.

Proposition 3.1 (Equi-Expressivity). The logic $\mathcal{S}$ and trivial APT are equivalent for defining possibly-infinite ranked trees. I.e. for every closed $\mathcal{S}$-formula, there is a trivial APT that defines the same tree language, and vice versa.



² Note, however, that the transformation does not preserve the class of trivial APT considered in Section 3.
We show that the model checking problem for recursion schemes is n-EXPTIME complete for trivial APT. The upper bound of n-EXPTIME follows immediately from Ong's result [15]. To show the lower bound, we reduce the decision problem of $w \in \mathcal{L}(\mathcal{A})$, where $w$ is a word and $\mathcal{A}$ is an order-n alternating PDA, to the model checking problem for recursion schemes. n-EXPTIME hardness follows from the reduction, since the problem of $w \in \mathcal{L}(\mathcal{A})$ is n-EXPTIME hard [6].

Definition 3.2. An order-n alternating PDA (order-n APDA, for short) for finite words is a 7-tuple:

$\mathcal{A} = (P, \lambda, p_0, \Gamma, \Sigma, \Delta, F)$

where $P$ is a set of states, $\lambda : P \to \{A, E\}$ partitions states into universal and existential, $p_0$ is the initial state, $\Gamma$ is a stack alphabet, $\Sigma$ is an input alphabet, $F \subseteq P$ is the set of final states, and $\Delta \subseteq P \times \Gamma \times (\Sigma \cup \{\epsilon\}) \times P \times \mathit{Op}_n$ is a transition relation. A configuration of an order-n APDA is of the form $(p, s)$ where $s$ is an order-n stack (an order-1 stack is an ordinary stack, and an order-$(k+1)$ stack is a stack of order-$k$ stacks). The induced transition relation on configurations is defined by the rule:

if $(p, \mathit{top}_1(s), a, p', \theta) \in \Delta$, then $(p, s) \to_{\mathcal{A}} (p', \theta(s))$

where $\theta \in \mathit{Op}_n$ is an order-n stack operation³ and $\mathit{top}_1(s)$ is the stack top of $s$.

Let $w$ be a word over $\Sigma$. We write $w_i$ (where $0 \le i < |w|$) for the $i$-th element of $w$. A run tree of an order-n APDA over a word $w$ is a finite unranked tree satisfying the following.

(i) The root is labelled by $(p_0, \perp_n, 0)$, where $\perp_n$ is the empty order-n stack.

(ii) If a node is labelled by $(p, s, i)$, then one of the following conditions holds, where

$H := \{(p', \theta(s), i+1) \mid (p, \mathit{top}_1(s), w_i, p', \theta) \in \Delta \land i < |w|\} \cup \{(p', \theta(s), i) \mid (p, \mathit{top}_1(s), \epsilon, p', \theta) \in \Delta\}$.

• $p \in F$ and $i = |w|$;

• $\lambda(p) = A$ and the set of labels of the child nodes is $H$; or

• $\lambda(p) = E$ and there is exactly one child node, which is labelled by an element of $H$.

(It follows that the leaves of a run tree are labelled by $(p, s, |w|)$ with $p \in F$, or $(p, s, i)$ with $\lambda(p) = A$ and $H = \emptyset$.)

An order-n APDA $\mathcal{A}$ accepts $w$ if there exists a run tree of $\mathcal{A}$ over $w$.

Engelfriet [6] has shown that the word acceptance problem for order-n APDA is n-EXPTIME complete.

Theorem 3.3 (Engelfriet). Let $\mathcal{A}$ be an order-n APDA and $w$ a finite word over $\Sigma$. The problem of $w \in \mathcal{L}(\mathcal{A})$ is n-EXPTIME complete.

³ Assume an order-n stack, where $n \ge 2$. An order-1 push operation is just the standard operation that pushes a symbol onto the top of the top order-1 stack; the order-1 pop operation removes the top symbol from the top order-1 stack. For $2 \le i \le n$, the order-$i$ push operation duplicates the top order-$(i-1)$ stack of the order-n stack; the order-$i$ pop operation removes the top order-$(i-1)$ stack. The set $\mathit{Op}_n$ of order-n stack operations consists of order-$i$ push and order-$i$ pop for each $1 \le i \le n$. For a formal definition, see, for example, the FoSSaCS 2002 paper of Knapik et al.
To reduce the word acceptance problem of order-n APDA to the model checking problem for recursion schemes, we use the equivalence [10] between order-n safe⁴ recursion schemes and order-n PDA as (deterministic) devices for generating trees.

Definition 3.4. An order-n tree-generating PDA is a tuple $\mathcal{A} = (\Sigma, \Gamma, Q, \delta, q_0)$ where $\Sigma$ is a ranked alphabet, $\Gamma$ is a stack alphabet, $Q$ is a finite set of states, $q_0 \in Q$ is the initial state, and

$\delta : Q \times \Gamma \to (Q \times \mathit{Op}_n) \cup \{(f; q_1 \cdots q_{\mathit{arity}(f)}) \mid f \in \Sigma,\ q_1, \ldots, q_{\mathit{arity}(f)} \in Q\}$

is the transition function. A configuration is either a pair $(q, s)$ where $q \in Q$ and $s$ is an order-n stack, or a triple of the form $(f; q_1 \cdots q_{\mathit{arity}(f)}; s)$ where $f \in \Sigma$ and $q_1 \cdots q_{\mathit{arity}(f)} \in Q^*$. Let $\hat{\Sigma}$ be the label-set $\{(f, i) \mid f \in \Sigma,\ 1 \le i \le \mathit{arity}(f)\} \cup \{a \in \Sigma \mid \mathit{arity}(a) = 0\}$. We define the labelled transition relation between configurations induced by $\delta$:

$(q, s) \xrightarrow{\epsilon} (q', \theta(s))$ if $\delta(q, \mathit{top}_1(s)) = (q', \theta)$

$(q, s) \xrightarrow{\epsilon} (f; \tilde{q}; s)$ if $\delta(q, \mathit{top}_1(s)) = (f; \tilde{q})$ and $\mathit{arity}(f) \ge 1$

$(q, s) \xrightarrow{a} (a; \epsilon; s)$ if $\delta(q, \mathit{top}_1(s)) = (a; \epsilon)$ and $\mathit{arity}(a) = 0$

$(f; \tilde{q}; s) \xrightarrow{(f, i)} (q_i, s)$ where $1 \le i \le \mathit{arity}(f)$

Let $w$ be a finite or infinite word over the alphabet $\hat{\Sigma}$. We say that $w$ is a trace of $\mathcal{A}$ just if there is a possibly-infinite sequence of transitions $(q_0, \perp_n) \xrightarrow{\ell_1} \gamma_1 \cdots \xrightarrow{\ell_m} \gamma_m \cdots$ such that $w = \ell_1 \ell_2 \cdots$. We say that $\mathcal{A}$ generates a $\Sigma$-labelled tree $t$ just in case the branch language⁵ of $t$ coincides with the set of maximal traces of $\mathcal{A}$.

Theorem 3.5 (Knapik et al. [10]). There is an effective transformation that, given an order-n tree-generating PDA $\mathcal{M}$, returns an order-n safe recursion scheme $\mathcal{G}$ that generates the same tree as $\mathcal{M}$. Moreover, both the running time of the transformation algorithm and the size of $\mathcal{G}$ are polynomial in the size of $\mathcal{M}$.

By Theorems 3.3 and 3.5 it suffices to show that, given a word $w$ and an order-n APDA $\mathcal{A}$, one can construct an order-n tree-generating PDA $\mathcal{M}_{\mathcal{A},w}$ and a trivial APT $\mathcal{B}$ such that $w$ is accepted by $\mathcal{A}$ if, and only if, the tree generated by $\mathcal{M}_{\mathcal{A},w}$ is accepted by $\mathcal{B}$.

Let $w$ be a word over $\Sigma$. From $w$ and $\mathcal{A} = (P, \lambda, p_0, \Gamma, \Sigma, \Delta, F)$ above, we construct an order-n PDA $\mathcal{M}_{\mathcal{A},w}$ for generating a $\{A, E, R, T\}$-labelled tree, which is a kind of run tree of $\mathcal{A}$ over the input word $w$. The node label $A$ ($E$, respectively) means that $\mathcal{A}$ is in a universal (existential, respectively) state; $T$ means that $\mathcal{A}$ has accepted the word, and $R$ means that $\mathcal{A}$ is stuck (no outgoing transition).

⁴ An order-n recursion scheme is safe if it satisfies a certain condition called safety [11]. We use the equivalence between safe recursion schemes and higher-order PDA just to prove the lower bound, so that knowledge about the safety constraint is not required. See [11, 2] for details of the safety constraint.

⁵ The branch language of $t : \mathit{dom}(t) \to \Sigma$ consists of

(i) infinite words $(f_1, d_1)(f_2, d_2) \cdots$ just if there exists $d_1 d_2 \cdots \in \{1, 2, \ldots, m\}^\omega$ (where $m$ is the maximum arity of the $\Sigma$-symbols) such that $t(d_1 \cdots d_i) = f_{i+1}$ for every $i \ge 0$; and

(ii) finite words $(f_1, d_1) \cdots (f_n, d_n)\,f_{n+1}$ just if there exists $d_1 \cdots d_n \in \{1, \ldots, m\}^*$ such that $t(d_1 \cdots d_i) = f_{i+1}$ for $0 \le i \le n$, and the arity of $f_{n+1}$ is 0.
Let $N$ be $\max_{p \in P,\ a \in \Sigma,\ \gamma \in \Gamma} |\{(p', a', \theta) \mid (p, \gamma, a', p', \theta) \in \Delta,\ a' \in \{a, \epsilon\}\}|$. I.e. $N$ is the degree of non-determinacy of $\mathcal{A}$. We define

$\mathcal{M}_{\mathcal{A},w} = (\{A \mapsto N,\ E \mapsto N,\ T \mapsto 0,\ R \mapsto 0\},\ \Gamma,\ Q,\ \delta,\ (p_0, 0))$

where:

- $Q = (P \times \{0, \ldots, |w|\}) \cup \{q_T, q_\perp\} \cup (P \times \{0, \ldots, |w|\} \times \mathit{Op}_n)$

- $\delta : Q \times \Gamma \to (Q \times \mathit{Op}_n) \cup \{(g; q_1, \ldots, q_k) \mid g \in \{A, E, T, R\},\ k \ge 0,\ q_1, \ldots, q_k \in Q\}$ is given by:

(1) $\delta((p, |w|), \gamma) = (T; \epsilon)$, if $p \in F$

(2) $\delta((p, i), \gamma) = (A;\ (p_1, j_1, \theta_1), \ldots, (p_m, j_m, \theta_m),\ \underbrace{q_T, \ldots, q_T}_{N - m})$

if $\lambda(p) = A$ and $\{(p_1, j_1, \theta_1), \ldots, (p_m, j_m, \theta_m)\}$ is:

$\{(p', i+1, \theta) \mid (p, \gamma, w_i, p', \theta) \in \Delta \land i < |w|\} \cup \{(p', i, \theta) \mid (p, \gamma, \epsilon, p', \theta) \in \Delta\}$

(3) $\delta((p, i), \gamma) = (E;\ (p_1, j_1, \theta_1), \ldots, (p_m, j_m, \theta_m),\ \underbrace{q_\perp, \ldots, q_\perp}_{N - m})$

if $\lambda(p) = E$ and $\{(p_1, j_1, \theta_1), \ldots, (p_m, j_m, \theta_m)\}$ is:

$\{(p', i+1, \theta) \mid (p, \gamma, w_i, p', \theta) \in \Delta \land i < |w|\} \cup \{(p', i, \theta) \mid (p, \gamma, \epsilon, p', \theta) \in \Delta\}$

(4) $\delta((p, i, \theta), \gamma) = ((p, i), \theta)$

(5) $\delta(q_T, \gamma) = (T; \epsilon)$

(6) $\delta(q_\perp, \gamma) = (R; \epsilon)$

Rules (2) and (3) are applied only when rule (1) is inapplicable. $\mathcal{M}_{\mathcal{A},w}$ simulates $\mathcal{A}$ over the word $w$, and constructs a tree representing the computation of $\mathcal{A}$. A state $(p, i) \in P \times \{0, \ldots, |w| - 1\}$ simulates $\mathcal{A}$ in state $p$ reading the letter $w_i$. A state $(p, i, \theta)$ simulates an intermediate transition state of $\mathcal{A}$, where $\theta$ is the stack operation to be applied. The states $q_T$ and $q_\perp$ are for creating dummy subtrees of nodes labelled with $A$ or $E$, so that the number of children of these nodes adds up to $N$, the arity of $A$ and $E$. Rule (1) ensures that when $\mathcal{A}$ has read the input word and reached a final state, $\mathcal{M}_{\mathcal{A},w}$ stops simulating $\mathcal{A}$ and outputs $T$. Rule (2) is used to simulate transitions of $\mathcal{A}$ in a universal state, reading the $i$-th input: $\mathcal{M}_{\mathcal{A},w}$ constructs a node labelled $A$ (to record that $\mathcal{A}$ was in a universal state) and spawns threads to simulate all possible transitions of $\mathcal{A}$. Rule (3) is for simulating $\mathcal{A}$ in an existential state. Note that, if $\mathcal{A}$ gets stuck (i.e. if there is no outgoing transition), all children of the $E$-node are labelled $R$; thus failure of the computation can be recognized by the trivial APT given in the following. Rule (4) is just for intermediate transitions. Note that a transition of $\mathcal{A}$ is simulated by $\mathcal{M}_{\mathcal{A},w}$ in two steps: the first for outputting $A$ or $E$, and the second for changing the stack.

Now we construct a trivial APT $\mathcal{B}$ that accepts the tree generated by $\mathcal{M}_{\mathcal{A},w}$ if, and only if, $w$ is not accepted by $\mathcal{A}$. The trivial APT $\mathcal{B}$ is given by:

$\mathcal{B} := (\{A, E, T, R\},\ \{q_0\},\ \delta,\ q_0,\ \{q_0 \mapsto 0\})$

where:

$\delta(q_0, A) = \bigvee_{i=1}^{N} (i, q_0) \qquad \delta(q_0, E) = \bigwedge_{i=1}^{N} (i, q_0) \qquad \delta(q_0, T) = f \qquad \delta(q_0, R) = t$
Intuitively, $\mathcal{B}$ accepts all trees representing a failure computation tree of $\mathcal{A}$. If the automaton in state $q_0$ reads $T$ (which corresponds to an accepting state of $\mathcal{A}$), it gets stuck. Upon reading $A$, the automaton non-deterministically chooses one of the subtrees, and checks whether the subtree represents a failure computation of $\mathcal{A}$. On the other hand, upon reading $E$, the automaton checks that all subtrees represent failure computation trees of $\mathcal{A}$. By the above construction, we have:

Theorem 3.6. Let $w$ be a word, and $\mathcal{A}$ an order-n APDA. Then $w$ is not accepted by $\mathcal{A}$ if, and only if, the tree generated by $\mathcal{M}_{\mathcal{A},w}$ is accepted by $\mathcal{B}$.
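As an added example (not from the paper), the following Python code decides trivial-APT acceptance on finite trees by evaluating the positive Boolean formulas $\delta(q, f)$ structurally, and runs the automaton $\mathcal{B}$ above on two $\{A, E, T, R\}$-labelled computation trees; the trees are constructed by hand rather than generated by $\mathcal{M}_{\mathcal{A},w}$, and restricting to finite trees (where the single even priority makes every run-tree accepting) is my assumption.

```python
from typing import Dict, Set, Tuple

# Positive Boolean formulas over atoms (i, q), as nested tuples:
#   ("t",), ("f",), ("atom", i, q), ("and", l, r), ("or", l, r)
Formula = tuple
# A finite tree is (label, [child_1, ..., child_k]); the APT addresses children
# by the 1-based index i used in delta(q, f) in B+({1..arity(f)} x Q).
Tree = Tuple[str, list]


def satisfies(theta: Formula, truth: Dict[Tuple[int, str], bool]) -> bool:
    """Is theta true when exactly the atoms mapped to True are in the set Y?"""
    kind = theta[0]
    if kind == "t":
        return True
    if kind == "f":
        return False
    if kind == "atom":
        return truth.get((theta[1], theta[2]), False)
    if kind == "and":
        return satisfies(theta[1], truth) and satisfies(theta[2], truth)
    if kind == "or":
        return satisfies(theta[1], truth) or satisfies(theta[2], truth)
    raise ValueError(f"unknown connective {kind}")


def atoms(theta: Formula) -> Set[Tuple[int, str]]:
    if theta[0] == "atom":
        return {(theta[1], theta[2])}
    if theta[0] in ("and", "or"):
        return atoms(theta[1]) | atoms(theta[2])
    return set()


class TrivialAPT:
    """APT with a single even priority.  On a finite tree every run-tree is
    finite, so the parity condition holds vacuously and acceptance reduces to
    the existence of a run-tree, decided here by structural recursion."""

    def __init__(self, delta: Dict[Tuple[str, str], Formula], q_init: str):
        self.delta, self.q_init = delta, q_init

    def accepts_from(self, tree: Tree, q: str) -> bool:
        label, kids = tree
        theta = self.delta.get((q, label), ("f",))   # no transition: no run-tree
        truth = {}
        for (i, q2) in atoms(theta):
            # (i, q2) may be put into S only if child i exists and has a run from q2
            truth[(i, q2)] = i <= len(kids) and self.accepts_from(kids[i - 1], q2)
        return satisfies(theta, truth)

    def accepts(self, tree: Tree) -> bool:
        return self.accepts_from(tree, self.q_init)


def make_B(N: int) -> TrivialAPT:
    """The trivial APT B of Section 3 for A/E nodes of arity N:
    delta(q0, A) = OR_i (i, q0), delta(q0, E) = AND_i (i, q0),
    delta(q0, T) = f, delta(q0, R) = t."""
    disj: Formula = ("atom", 1, "q0")
    conj: Formula = ("atom", 1, "q0")
    for i in range(2, N + 1):
        disj = ("or", disj, ("atom", i, "q0"))
        conj = ("and", conj, ("atom", i, "q0"))
    return TrivialAPT({("q0", "A"): disj, ("q0", "E"): conj,
                       ("q0", "T"): ("f",), ("q0", "R"): ("t",)}, "q0")


# Constructed computation trees with N = 2 (hand-written, not produced by M_{A,w}).
# FAILING: in an existential state both choices fail (a universal successor with
# a stuck branch, and a stuck branch), so the word is rejected by A.
FAILING: Tree = ("E", [("A", [("T", []), ("R", [])]), ("R", [])])
# SUCCEEDING: the universal successor succeeds on every branch, so A accepts.
SUCCEEDING: Tree = ("E", [("A", [("T", []), ("T", [])]), ("R", [])])


def a_rejects_word(tree: Tree, N: int = 2) -> bool:
    """B accepts the computation tree iff A does NOT accept w (Theorem 3.6)."""
    return make_B(N).accepts(tree)


if __name__ == "__main__":
    print(a_rejects_word(FAILING), a_rejects_word(SUCCEEDING))   # True False
```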

Corollary 3.7. The trivial APT acceptance problem for the tree generated by an order-n recursion scheme (i.e. whether the tree generated by a given order-n recursion scheme is accepted by a given trivial APT) is n-EXPTIME hard in the size of the recursion scheme.

By modifying the encoding, we can also show that the model checking problem is n-EXPTIME-hard in the size of the APT. The idea is to modify $\mathcal{M}_{\mathcal{A},w}$ so that it generates a tree representing the computation of $\mathcal{A}$ over not just $w$ but all possible input words, and let a trivial APT check the part of the tree corresponding to the input word $w$. As a result, the trivial APT depends on the input word but the tree-generating PDA does not.

We make the following two assumptions on $\mathcal{A}$ (without loss of generality):

(i) In each state, if $\mathcal{A}$ can perform an $\epsilon$-transition, then $\mathcal{A}$ cannot perform any input transition, i.e. $\{(p', \theta) \mid \exists a \in \Sigma.\ (p, \gamma, a, p', \theta) \in \Delta\} \ne \emptyset$ implies $\{(p', \theta) \mid (p, \gamma, \epsilon, p', \theta) \in \Delta\} = \emptyset$.

(ii) There is no transition from a final state, i.e. if $p \in F$ then $\{(p', \theta) \mid \exists a \in \Sigma \cup \{\epsilon\}.\ (p, \gamma, a, p', \theta) \in \Delta\} = \emptyset$.

Given an order-n APDA $\mathcal{A}$ and a word $w$, we shall construct $\mathcal{M}'_{\mathcal{A}}$ and $\mathcal{B}_w$ such that $w$ is not accepted by $\mathcal{A}$ if, and only if, the tree generated by $\mathcal{M}'_{\mathcal{A}}$ is accepted by $\mathcal{B}_w$. The difference from the construction of $\mathcal{M}_{\mathcal{A},w}$ and $\mathcal{B}$ above is that $\mathcal{M}'_{\mathcal{A}}$ does not depend on $w$. The idea is to let $\mathcal{M}'_{\mathcal{A}}$ generate a tree representing the computations of $\mathcal{A}$ over all possible inputs. We then let $\mathcal{B}_w$ traverse the part of the tree corresponding to the computation over $w$, and check whether the computation is successful.

We define a tree-generating PDA $\mathcal{M}'_{\mathcal{A}} = (\Sigma', \Gamma, Q, \delta, q_0)$ where:

- $\Sigma' = \{\mathit{Read} \mapsto |\Sigma|,\ \mathit{Accept} \mapsto 0,\ \mathit{Epsilon} \mapsto 1,\ A \mapsto N,\ E \mapsto N,\ T \mapsto 0,\ R \mapsto 0\}$

- $Q = P \cup (P \times (\Sigma \cup \{\epsilon\})) \cup \{q_T, q_\perp\} \cup (P \times \mathit{Op}_n)$

- $q_0 = p_0$

- $\delta$ is given by:

$\delta(p, \gamma) = (\mathit{Accept}; \epsilon)$ if $p \in F$

$\delta(p, \gamma) = (\mathit{Epsilon}; ((p, \epsilon), \mathit{id}))$ if $\{(p', \theta) \mid (p, \gamma, \epsilon, p', \theta) \in \Delta\} \ne \emptyset$.

$\delta(p, \gamma) = (\mathit{Read}; ((p, a_1), \mathit{id}), \ldots, ((p, a_n), \mathit{id}))$ if $p \notin F$, $\{(p', \theta) \mid (p, \gamma, \epsilon, p', \theta) \in \Delta\} = \emptyset$ and $\Sigma = \{a_1, \ldots, a_n\}$.

$\delta((p, a), \gamma) = (A;\ (p_1, \theta_1), \ldots, (p_m, \theta_m),\ q_T, \ldots, q_T)$ if $\lambda(p) = A$ and $\{(p_1, \theta_1), \ldots, (p_m, \theta_m)\} = \{(p', \theta) \mid (p, \gamma, a, p', \theta) \in \Delta\}$

$\delta((p, a), \gamma) = (E;\ (p_1, \theta_1), \ldots, (p_m, \theta_m),\ q_\perp, \ldots, q_\perp)$ if $\lambda(p) = E$ and $\{(p_1, \theta_1), \ldots, (p_m, \theta_m)\} = \{(p', \theta) \mid (p, \gamma, a, p', \theta) \in \Delta\}$

$\delta((p, \theta), \gamma) = (p, \theta)$

$\delta(q_T, \gamma) = (T; \epsilon)$

$\delta(q_\perp, \gamma) = (R; \epsilon)$
In a final state of $\mathcal{A}$, $\mathcal{M}'_{\mathcal{A}}$ outputs a node labelled with $\mathit{Accept}$, to indicate that $\mathcal{A}$ has reached a final state, and stops simulating $\mathcal{A}$ (as, by assumption (ii) above, there is no outgoing transition). In a state where $\mathcal{A}$ has $\epsilon$-transitions, $\mathcal{M}'_{\mathcal{A}}$ outputs a node labelled with $\mathit{Epsilon}$, and then simulates all the possible $\epsilon$-transitions of $\mathcal{A}$. In a state where $\mathcal{A}$ has input transitions, $\mathcal{M}'_{\mathcal{A}}$ outputs a node labelled with $\mathit{Read}$ to indicate that $\mathcal{A}$ makes an input transition, and then simulates the input transition for each possible input symbol. Note that by the assumptions (i) and (ii) above, these three transitions are disjoint. The remaining transition rules are analogous to those of $\mathcal{M}_{\mathcal{A},w}$.

Define the trivial APT $\mathcal{B}_w$ by $\mathcal{B}_w = (\Sigma', Q', \delta, q_0, \Omega)$ where:

$Q' = \{q_0, \ldots, q_{|w|}\}$

$\delta(q, \mathit{Epsilon}) = (1, q)$ for every $q \in Q'$

$\delta(q_i, \mathit{Read}) = (j, q_{i+1})$ if $0 \le i \le |w| - 1$ and $w_i = a_j$

$\delta(q_{|w|}, \mathit{Read}) = t$

$\delta(q_i, A) = (1, q_i) \lor \cdots \lor (N, q_i)$

$\delta(q_i, E) = (1, q_i) \land \cdots \land (N, q_i)$

$\delta(q_{|w|}, \mathit{Accept}) = f$

$\delta(q_i, \mathit{Accept}) = t$ for every $0 \le i < |w|$

$\delta(q, T) = f$ for every $q \in Q'$

$\delta(q, R) = t$ for every $q \in Q'$

and $\Omega$ is the trivial priority function.

The trivial APT $\mathcal{B}_w$ traverses the tree generated by $\mathcal{M}'_{\mathcal{A}}$ (which represents transitions of $\mathcal{A}$ for all possible inputs), while keeping track of the position of the input head of $\mathcal{A}$ in its state ($q_i$ means that $\mathcal{A}$ is reading the $i$-th letter of the word $w$). Upon reading $\mathit{Read}$ in state $q_i$, $\mathcal{B}_w$ proceeds to traverse the branch corresponding to the $i$-th letter (i.e. $w_i$). Reading $\mathit{Accept}$ in state $q_{|w|}$ means that $\mathcal{A}$ accepts the word $w$, so that the run of $\mathcal{B}_w$ fails (recall that $\mathcal{B}_w$ accepts the tree just if $\mathcal{A}$ does not accept $w$). Reading $\mathit{Accept}$ in state $q_i$ (with $i < |w|$) on the other hand means that $\mathcal{A}$ does not accept $w$, so that the run of $\mathcal{B}_w$ succeeds. The remaining transition rules are analogous to those of $\mathcal{B}$.

By the construction above, $w$ is not accepted by $\mathcal{A}$ if, and only if, the tree generated by $\mathcal{M}'_{\mathcal{A}}$ is accepted by $\mathcal{B}_w$. Since only $\mathcal{B}_w$ depends on the input word $w$, we get:

Theorem 3.8. The trivial APT acceptance problem of trees generated by order-n recursion schemes is n-EXPTIME-hard in the size of the APT.

To our knowledge, the lower bound (of the complexity of model-checking recursion schemes) in terms of the size of APT for the entire class of APT is new.

4. Disjunctive APT and Complexity of Model Checking 

A disjunctive APT is an APT whose transition function $\delta$ is disjunctive, i.e. $\delta$ maps each state to a positive boolean formula $\theta$ that contains only disjunctions and no conjunctions, as given by the grammar $\theta ::= t \mid f \mid (i, q) \mid \theta \lor \theta$. Disjunctive APT can be used to describe path (or linear-time) properties of trees.

First we give a logical characterization of disjunctive APT as follows. Call $\mathcal{D}$ the following "disjunctive fragment" of the modal mu-calculus:

$\varphi, \psi ::= t \mid p_f \land \varphi \mid Z \mid \varphi \lor \psi \mid \langle i \rangle \varphi \mid \nu Z.\varphi \mid \mu Z.\varphi$

where $f$ ranges over symbols in $\Sigma$, and $i$ over $\{1, \ldots, m\}$ where $m$ is the largest arity of the symbols in $\Sigma$. A proof of the following proposition is given in Appendix A.

Proposition 4.1 (Equi-Expressivity). The logic $\mathcal{D}$ and disjunctive APT are equivalent for defining possibly-infinite ranked trees. I.e. for every closed $\mathcal{D}$-formula, there is a disjunctive APT that defines the same tree language, and vice versa.

Remark 1. For defining languages of ranked trees, disjunctive APT are a proper subset of the disjunctive formulas in the sense of Walukiewicz and Janin [8]. For example, the disjunctive formula $(1 \to \{t\}) \land (2 \to \{t\})$ is not equivalent to any disjunctive APT.

In the rest of the section, we show that the model checking problem for order-n recursion schemes is (n − 1)-EXPTIME complete for disjunctive APT.

4.1. Upper Bound. Since our proof is based on Kobayashi and Ong's type system for recursion schemes [13] and relies heavily on the machinery and techniques developed therein, we shall just sketch a proof here; a detailed proof will be presented in the journal version of [13]. An alternative proof, also sketched but based on variable profiles [15], is given in Appendix B.

Theorem 4.2. Let $\mathcal{G}$ be an order-n recursion scheme and $\mathcal{B}$ a disjunctive APT. It is decidable in (n − 1)-EXPTIME whether $\mathcal{B}$ accepts the value tree $[\![\mathcal{G}]\!]$.

In a recent paper [13], we constructed an intersection type system equivalent to the modal mu-calculus model checking of recursion schemes, in the sense that for every APT, there is a type system such that the tree generated by a recursion scheme is accepted by the APT if, and only if, the recursion scheme is typable in the type system. The model checking problem is thus reduced to a type checking problem. The main idea of the type system is to refine the tree type $o$ by the states and priorities of an APT. The type $q$ describes a tree that is accepted by the APT with $q$ as the start state. The type $(\theta_1, m_1) \land (\theta_2, m_2) \to q$, which refines the type $o \to o$, describes a tree function that takes an argument which has types $\theta_1$ and $\theta_2$, and returns a tree of type $q$.

The type checking algorithm presented in [13] is n-EXPTIME in the combined size of the order-n recursion scheme and the APT (more precisely,⁶ $O(r^{1 + \lfloor n/2 \rfloor}\, \exp_n((a\,|Q|\,m)^{1+\epsilon}))$ for $n \ge 2$, where $r$ is the number of rules, $a$ is the largest arity of the symbols in the scheme, $m$ is the largest priority, and $|Q|$ is the number of states). The bottleneck of the algorithm is the number of (atomic) intersection types, where the set $\mathcal{T}(\kappa)$ of atomic types refining a simple type $\kappa$ is inductively defined by:

$\mathcal{T}(o) := Q$

$\mathcal{T}(\kappa_1 \to \kappa_2) := \{\bigwedge S \to \theta \mid \theta \in \mathcal{T}(\kappa_2),\ S \subseteq \mathcal{T}(\kappa_1) \times P\}$

where $Q$ and $P$ are the sets of states and priorities respectively.

According to the syntax of atomic types above, the number of atomic types refining a simple type of order $n$ is $n$-exponential in general. In the case of disjunctive APT, however, for each type of the form $o \to \cdots \to o \to o$, we need to consider only atomic types of the form $\bigwedge S_1 \to \cdots \to \bigwedge S_k \to q$, where at most one of the $S_j$'s is a singleton set and the other $S_j$'s are empty. Intuitively, this is because a run-tree of a disjunctive APT consists of a single path, so that the run-tree visits only one of the arguments, at most once. In fact, we can show that, if a recursion scheme is typable in the type system for a disjunctive APT, the recursion scheme is typable in a restricted type system in which order-1 types are constrained as described above: this follows from the proof of completeness of the type system [13], along with the property of the accepting run-tree mentioned above. Thus, the number of atomic types is only polynomial in the arity, $|Q|$ and the number of priorities (whereas it is exponential for an arbitrary APT). Therefore, the number of atomic types possibly assigned to a symbol of order $n$ is $(n-1)$-exponential. By running the same type checking algorithm as ibid. (but with order-1 types constrained as above), order-n recursion schemes can be type-checked (i.e. model-checked) in (n − 1)-EXPTIME.

⁶ According to Schewe's recent result [17] on the complexity of parity games, the part $r^{1 + \lfloor n/2 \rfloor}$ can be further reduced to roughly $r^{1 + n/3}$.

4.2. Lower Bound. We show the lower bound by a reduction of the emptiness problem of the finite-word language accepted by an order-n deterministic PDA, which is (n − 1)-EXPTIME complete [6].

Let $\mathcal{A}$ be an order-n deterministic PDA, given by $\mathcal{A} = (P, p_0, \Gamma, \Sigma, \delta, F)$ where $\delta$ is a partial function from $P \times (\Sigma \cup \{\epsilon\}) \times \Gamma$ to $P \times \mathit{Op}_n$. We shall construct an order-n tree-generating PDA $\mathcal{M}_{\mathcal{A}}$, which simulates all possible input and $\epsilon$-transitions of $\mathcal{A}$, and outputs $e$ only when $\mathcal{A}$ reaches a final state.

The order-n PDA $\mathcal{M}_{\mathcal{A}}$ is given by:

$\mathcal{M}_{\mathcal{A}} = (\{e \mapsto 0\} \cup \{\mathit{br}_m \mapsto m \mid 0 \le m \le N\},\ \Gamma,\ P \cup (P \times \mathit{Op}_n),\ \delta',\ p_0)$

$N = \max_{p \in P,\ \gamma \in \Gamma} |\{(p', \theta') \mid \exists a \in \Sigma \cup \{\epsilon\}.\ \delta(p, a, \gamma) = (p', \theta')\}|$

$\delta'(p, \gamma) = (e; \epsilon)$ if $p \in F$

$\delta'(p, \gamma) = (\mathit{br}_m;\ (p_1, \theta_1), \ldots, (p_m, \theta_m))$ if $p \notin F$ and $\{(p_1, \theta_1), \ldots, (p_m, \theta_m)\} = \{(p', \theta') \mid \exists a \in \Sigma \cup \{\epsilon\}.\ \delta(p, a, \gamma) = (p', \theta')\}$

$\delta'((p, \theta), \gamma) = (p, \theta)$

A state of $\mathcal{M}_{\mathcal{A}}$ is either a state of $\mathcal{A}$ (i.e. an element of $P$), or a pair $(p, \theta)$. In state $p \in P$, $\mathcal{M}_{\mathcal{A}}$ constructs a node labeled by $\mathit{br}_m$, and spawns subtrees for simulating possible input or $\epsilon$-transitions of $\mathcal{A}$ from state $p$.

By a result of Knapik et al. [10], we can construct an equi-expressive order-$n$ safe recursion scheme $\mathcal{G}$. Let $\mathcal{G}'$ be the recursion scheme obtained from $\mathcal{G}$ by (i) replacing each terminal symbol $br_m$ ($m > 2$) with a non-terminal $Br_m$ of the same arity, and (ii) adding the rule:

$$Br_m\ x_1 \cdots x_m \to br_2\ x_1\ (br_2\ x_2\ (\cdots (br_2\ x_{m-1}\ x_m)))$$

By the construction, the finite-word language accepted by $\mathcal{A}$ is non-empty if, and only if, the value tree of $\mathcal{G}'$ has a node labelled $e$. The latter property can be expressed by the following disjunctive APT $\mathcal{B}$. (The purpose of transforming $\mathcal{G}$ into $\mathcal{G}'$ was to make the disjunctive APT independent of $\mathcal{A}$.)

$$\mathcal{B} := (\{q_0\},\ \{e, br_2\},\ \delta,\ q_0,\ \{q_0 \mapsto 1\})$$

where $\delta(q_0, br_2) = (1, q_0) \vee (2, q_0)$ and $\delta(q_0, e) = \mathbf{t}$.

Thus, we have:

Theorem 4.3. The disjunctive APT acceptance problem for the tree generated by an order-$n$ recursion scheme is $(n-1)$-EXPTIME-hard in the size of the recursion scheme.
The problem is $(n-1)$-EXPTIME hard also in the size of the disjunctive APT.

As above, let $\mathcal{A} = (P, p_0, \Gamma, \Sigma, \delta, F)$ be an order-$n$ deterministic PDA for words. We may assume that the stack alphabet is $\{\gamma_0, \gamma_1\}$ (as we can encode an arbitrary stack symbol as a sequence of $\gamma_0$ and $\gamma_1$).

We first define an order-$n$ tree-generating PDA $\mathcal{M}$ by:

$$\mathcal{M} = (\{\gamma_0, \gamma_1\},\ \{\gamma_0, \gamma_1\},\ \{q_0, \theta_1, \ldots, \theta_k\},\ q_0,\ \delta_{\mathcal{M}})$$
$$\delta_{\mathcal{M}}(q_0, \gamma_i) = (\gamma_i;\ \theta_1, \ldots, \theta_k)$$

where $\{\theta_1, \ldots, \theta_k\}$ is the set of order-$n$ stack operations (in state $\theta_j$, $\mathcal{M}$ applies the operation $\theta_j$ and returns to $q_0$, so the terminals $\gamma_0, \gamma_1$ have arity $k$). The role of $\mathcal{M}$ is to generate a tree simulating all the possible changes of the stack top. Note that $\mathcal{M}$ is independent of $\mathcal{A}$. Now let us define a disjunctive APT $\mathcal{D}_{\mathcal{A}} = (P, \{\gamma_0, \gamma_1\}, \delta', p_0, \Omega)$ as follows.

$$\delta'(p, \gamma_i) = \bigvee \{(j, p') \mid \exists a.\ \delta(p, a, \gamma_i) = (p', \theta_j)\} \qquad \text{if } p \notin F$$
$$\delta'(p, \gamma_i) = \mathbf{t} \qquad \text{if } p \in F$$
$$\Omega(p) = 1$$

The idea of the above encoding is to let $\mathcal{D}_{\mathcal{A}}$ simulate transitions of $\mathcal{A}$, while extracting information about the stack top from the tree generated by $\mathcal{M}$. Let $\mathcal{G}$ be an order-$n$ recursion scheme that generates the same tree as $\mathcal{M}$. By the above construction, the language of $\mathcal{A}$ is non-empty if, and only if, $\mathcal{D}_{\mathcal{A}}$ accepts the tree generated by $\mathcal{G}$. Since the size of $\mathcal{G}$ does not depend on $\mathcal{A}$, and the size of $\mathcal{D}_{\mathcal{A}}$ is polynomial in the size of $\mathcal{A}$, we have:

Theorem 4.4. The disjunctive APT acceptance problem for trees generated by order-$n$ recursion schemes is $(n-1)$-EXPTIME hard in the size of the APT.



4.3. Path Properties. Path properties of $\Sigma$-labelled trees are relevant to program verification, as demonstrated in the application to resource usage analysis in Section 5. The path language of a $\Sigma$-labelled tree $t$ is the image of the map $F$, which acts on the elements of the branch language of $t$ by "forgetting the argument positions", i.e.

$$F :\ \begin{cases} (f_1, d_1)(f_2, d_2) \cdots & \mapsto\ f_1 f_2 \cdots \\ (f_1, d_1) \cdots (f_n, d_n)\ f_{n+1} & \mapsto\ f_1 \cdots f_n\ f_{n+1}^{\omega} \end{cases}$$

(a finite branch, which ends in a leaf $f_{n+1}$, is thus padded to an infinite word by repeating the leaf symbol). For example $\{f a^\omega,\ f f a^\omega,\ f f b^\omega\}$ is the path language of the term-tree $f\ a\ (f\ a\ b)$. Let $\mathcal{G}$ be a recursion scheme. We write $W(\mathcal{G})$ for the path language of $[\![\mathcal{G}]\!]$. Thus elements of $W(\mathcal{G})$ are infinite words over the alphabet $\Sigma$, which is now considered unranked (i.e. arities of the symbols are forgotten).

Theorem 4.5. Let $\mathcal{G}$ be an order-$n$ recursion scheme. The following problems are $(n-1)$-EXPTIME complete.

(i) $W(\mathcal{G}) \cap \mathcal{L}(\mathcal{C}) = \emptyset$, where $\mathcal{C}$ is a non-deterministic parity word automaton.

(ii) $W(\mathcal{G}) \subseteq \mathcal{L}(\mathcal{C})$, where $\mathcal{C}$ is a deterministic parity word automaton.

Furthermore, problem (i) is $(n-1)$-EXPTIME hard not only in the size of $\mathcal{G}$ but also in the size of $\mathcal{C}$.

Proof. (i) Let $\mathcal{C} = (Q, \Sigma, \Delta, q_I, \Omega)$ be a non-deterministic parity word automaton, where $\Delta \subseteq Q \times \Sigma \times Q$ and $\Omega : Q \to \{0, \ldots, p\}$. Let $m$ be the largest arity of the symbols in $\Sigma$. (Büchi automata are equivalent to parity automata with two priorities.) We have $W(\mathcal{G}) \cap \mathcal{L}(\mathcal{C}) \neq \emptyset$ if, and only if, $[\![\mathcal{G}]\!]$ is accepted by the APT $\mathcal{B} = (Q, \Sigma, \delta, q_I, \Omega)$, where $\delta : Q \times \Sigma \to \mathcal{B}^+(\{1, \ldots, m\} \times Q)$ is the disjunctive transition function

$$\delta : (q, f) \mapsto \bigvee \{ (i, p) \mid 1 \le i \le m,\ (q, f, p) \in \Delta \}.$$

It follows from Theorem 4.2 that the problem $W(\mathcal{G}) \cap \mathcal{L}(\mathcal{C}) = \emptyset$ can be decided in $(n-1)$-EXPTIME.

Let $\mathcal{C}$ be a parity word automaton that accepts $\Sigma^* e^\omega$, and $\mathcal{G}'$ be the recursion scheme in Section 4.2. Then $W(\mathcal{G}') \cap \mathcal{L}(\mathcal{C}) \neq \emptyset$ if, and only if, $[\![\mathcal{G}']\!]$ has a node labelled $e$. Thus, the problem $W(\mathcal{G}) \cap \mathcal{L}(\mathcal{C}) = \emptyset$ is $(n-1)$-EXPTIME-hard in the size of $\mathcal{G}$.

To show the lower bound in the size of $\mathcal{C}$, we modify the construction of $\mathcal{M}$ and $\mathcal{D}_{\mathcal{A}}$ as follows. Let $\mathcal{M}'$ be the order-$n$ tree-generating PDA given by:

$$\mathcal{M}' := (\{\gamma_0, \gamma_1, \theta_1, \ldots, \theta_k\},\ \{\gamma_0, \gamma_1\},\ \{q_0, q_1, \ldots, q_k, \theta_1, \ldots, \theta_k\},\ q_0,\ \delta)$$
$$\delta(q_0, \gamma_i) = (\gamma_i;\ q_1, \ldots, q_k) \qquad \text{for } 0 \le i \le 1$$
$$\delta(q_j, \gamma_i) = (\theta_j;\ \theta_j) \qquad \text{for } 0 \le i \le 1,\ 1 \le j \le k$$
$$\delta(\theta_j, \gamma_i) = (q_0, \theta_j) \qquad \text{for } 0 \le i \le 1,\ 1 \le j \le k$$

The difference from $\mathcal{M}$ is that $\mathcal{M}'$ outputs not only stack top symbols but also stack operations (which were coded as branch information in the case of $\mathcal{M}$). Let $\mathcal{C}_{\mathcal{A}}$ be the non-deterministic parity word automaton given by:

$$\mathcal{C}_{\mathcal{A}} := (P \cup (P \times \{0, 1\}),\ \{\gamma_0, \gamma_1, \theta_1, \ldots, \theta_k\},\ \delta',\ p_0,\ \Omega)$$
$$\delta'(p, \gamma_i) = \{(p, i)\} \qquad \text{if } p \notin F$$
$$\delta'((p, i), \theta_j) = \{p' \mid \exists a.\ \delta(p, a, \gamma_i) = (p', \theta_j)\}$$
$$\delta'(p, \gamma_i) = \{p\} \qquad \text{if } p \in F$$
$$\delta'(p, \theta_j) = \{p\}$$
$$\Omega(p) = 2 \text{ if } p \in F, \qquad \Omega(s) = 1 \text{ for every other state } s$$

Let $\mathcal{G}$ be a recursion scheme that generates the same tree as $\mathcal{M}'$. Then, the language of $\mathcal{A}$ is empty if, and only if, $W(\mathcal{G}) \cap \mathcal{L}(\mathcal{C}_{\mathcal{A}}) = \emptyset$. Since $\mathcal{G}$ does not depend on $\mathcal{A}$, the problem $W(\mathcal{G}) \cap \mathcal{L}(\mathcal{C}) = \emptyset$ is $(n-1)$-EXPTIME hard also in the size of $\mathcal{C}$.

(ii) Let $\mathcal{C} = (Q, \Sigma, \delta_{\mathcal{C}}, q_0, \Omega)$ be a deterministic parity word automaton, where $\delta_{\mathcal{C}} : Q \times \Sigma \to Q$ and $\Omega : Q \to \{0, \ldots, p\}$. Define $\overline{\mathcal{C}} = (Q, \Sigma, \delta_{\mathcal{C}}, q_0, \overline{\Omega})$ where $\overline{\Omega} : q \mapsto \Omega(q) + 1$. Note that because of determinacy, $\mathcal{L}(\overline{\mathcal{C}}) = \Sigma^\omega \setminus \mathcal{L}(\mathcal{C})$. Now we have $W(\mathcal{G}) \subseteq \mathcal{L}(\mathcal{C})$ if, and only if, $W(\mathcal{G}) \cap \mathcal{L}(\overline{\mathcal{C}}) = \emptyset$. Thus, the problem $W(\mathcal{G}) \subseteq \mathcal{L}(\mathcal{C})$ is in $(n-1)$-EXPTIME. More­over, since the language $\Sigma^* e^\omega$ is accepted by a deterministic parity word automaton, the problem is also $(n-1)$-EXPTIME hard (in the size of $\mathcal{G}$). □

The decision problems Reachability (i.e. whether $[\![\mathcal{G}]\!]$ has a node labelled by a given symbol $e$) and Finiteness (i.e. whether $[\![\mathcal{G}]\!]$ is finite) are instances of Problem (i) of Theorem 4.5, hence they are in $(n-1)$-EXPTIME (the former is $(n-1)$-EXPTIME complete, by the proof of Section 4.2).

Consider the problem LTL Model-Checking:

"Given an LTL-formula $\varphi$ (generated from atomic propositions of the form $P_f$ with $f \in \Sigma$) and an order-$n$ recursion scheme $\mathcal{G}$, does every path in $[\![\mathcal{G}]\!]$ satisfy $\varphi$? (Precisely, is $W(\mathcal{G}) \subseteq [\![\varphi]\!]$?)"

As a corollary of Theorem 4.5 we have:

Corollary 4.6. LTL Model-Checking (i.e. given an order-$n$ recursion scheme $\mathcal{G}$ and an LTL-formula $\varphi$, is $W(\mathcal{G}) \subseteq [\![\varphi]\!]$?) is $(n-1)$-EXPTIME complete in the size of $\mathcal{G}$.

Proof. The upper bound follows from Theorem 4.5(i): note that $W(\mathcal{G}) \subseteq [\![\varphi]\!]$ is equivalent to $W(\mathcal{G}) \cap [\![\neg\varphi]\!] = \emptyset$, and because $[\![\neg\varphi]\!]$ is $\omega$-regular, it is recognizable [18] by a parity automaton.

The lower bound follows from the $(n-1)$-EXPTIME hardness of Reachability: checking whether a recursion scheme satisfies the formula $\mathbf{G}(\neg e)$ is $(n-1)$-EXPTIME hard in the size of the recursion scheme. □

Note however that LTL Model-Checking is $n$-EXPTIME in the size of the LTL-formula $\varphi$, as the size of the corresponding parity word automaton is exponential in $\varphi$ in general [19].



5. Application to Resource Usage Verification

Now we apply the result of the previous section to show that the resource usage verification problem [7] is $(n-1)$-EXPTIME complete. The aim of resource usage verification is to check whether a program accesses each resource according to a given resource specification. For example, consider the following program.

    let rec g x = if rand() then close(x) else (read(x); g(x)) in
    let r = open_in "foo" in g(r)

Here, rand() returns a non-deterministic boolean. The program first defines a recursive function g that takes a file pointer x as an argument and closes it after some read operations. The program then opens a read-only file "foo", and passes it to g. For this program, the goal of the verification is to statically check that the file is eventually closed before the program terminates, and that after it is closed, it is never read from or written to.

Kobayashi [12] recently showed that the resource usage verification problem is decidable for the simply-typed $\lambda$-calculus with recursion, generated from a base type of booleans, and augmented by resource creation/access primitives, by reduction to the model checking problem for recursion schemes. Prior to Kobayashi's work [12], only sound but incomplete verification methods had been proposed.

Following [12], we consider below a simply-typed, call-by-name functional language with only top-level function definitions and resource usage primitives. (Programs in call-by-value languages can be transformed into this language by using the standard CPS transformation and $\lambda$-lifting.) A program is a triple $(D, S, \mathcal{C})$ where $D$ is a set of function definitions, $S$ is a function name (representing the main function), and $\mathcal{C} = (Q_{\mathcal{C}}, \Sigma_{\mathcal{C}}, \delta_{\mathcal{C}}, q_{0,\mathcal{C}}, F_{\mathcal{C}})$ is a deterministic word automaton, which describes how the state of a resource is changed by each access primitive. A function definition is of the form $F\ \tilde{x} = e$, where $e$ is given by:

$$e ::= \star \mid x \mid F \mid e_1\ e_2 \mid \mathbf{If}^*\ e_1\ e_2 \mid \mathbf{New}^q\ e \mid \mathbf{Acc}_a\ e_1\ e_2$$

The term $\star$ is the unit value. The term $\mathbf{If}^*\ e_1\ e_2$ is a non-deterministic branch between $e_1$ and $e_2$. The term $\mathbf{New}^q\ e$ creates a fresh resource, and passes it to $e$ (which is a function that takes a resource as an argument). Here, $q$ represents the initial state of the resource; the automaton $\mathcal{C}$ specifies how the resource should be accessed afterwards: see the operational semantics given later. The term $\mathbf{Acc}_a\ e_1\ e_2$ accesses the resource $e_1$ with the primitive of name $a$ ($\in \Sigma_{\mathcal{C}}$) and then executes $e_2$.

Programs must be simply typed; the two base types are $\mathbf{unit}$ for unit values and $\mathbf{R}$ for resources. The body of each definition must have type $\mathbf{unit}$ (in other words, resources cannot be used as return values; this requirement can be enforced by the CPS transformation [12]). The constants $\mathbf{If}^*$, $\mathbf{New}^q$, and $\mathbf{Acc}_a$ are given the following types.

$$\mathbf{If}^* : \mathbf{unit} \to \mathbf{unit} \to \mathbf{unit}, \qquad \mathbf{New}^q : (\mathbf{R} \to \mathbf{unit}) \to \mathbf{unit}, \qquad \mathbf{Acc}_a : \mathbf{R} \to \mathbf{unit} \to \mathbf{unit}$$

Example 5.1. The program given at the beginning of this section can be expressed as $(D, S, \mathcal{C})$ where

$$D = \{\ S = \mathbf{New}^{q_1}\ (G\ \star),\qquad G\ k\ x = \mathbf{If}^*\ (\mathbf{Acc}_c\ x\ k)\ (\mathbf{Acc}_r\ x\ (G\ k\ x))\ \}$$
$$\mathcal{C} = (\{q_1, q_2\},\ \{r, c\},\ \delta,\ q_1,\ \{q_2\})$$

Here, $G$ corresponds to the function g in the original program, and the additional parameter $k$ represents a continuation. The automaton $\mathcal{C}$ specifies that the resource should be accessed according to $r^* c$ (i.e. $\delta(q_1, r) = q_1$ and $\delta(q_1, c) = q_2$).

We introduce the operational semantics to formally define the resource usage verification problem. A run-time state is either an error state $\mathbf{Error}$ or a pair $(\rho, e)$ where $\rho$ is a finite map from variables to $Q_{\mathcal{C}}$, which represents the state of each resource. The reduction relation $\longrightarrow_{D,\mathcal{C}}$ on run-time states is defined by:

$$\frac{F\ \tilde{x} = e' \in D}{(\rho,\ F\ \tilde{e}) \longrightarrow_{D,\mathcal{C}} (\rho,\ [\tilde{e}/\tilde{x}]e')}$$

$$(\rho,\ \mathbf{If}^*\ e_1\ e_2) \longrightarrow_{D,\mathcal{C}} (\rho,\ e_1) \qquad\qquad (\rho,\ \mathbf{If}^*\ e_1\ e_2) \longrightarrow_{D,\mathcal{C}} (\rho,\ e_2)$$

$$\frac{x \notin dom(\rho)}{(\rho,\ \mathbf{New}^q\ e) \longrightarrow_{D,\mathcal{C}} (\rho\{x \mapsto q\},\ e\ x)}$$

$$\frac{\delta_{\mathcal{C}}(q, a) = q'}{(\rho\{x \mapsto q\},\ \mathbf{Acc}_a\ x\ e) \longrightarrow_{D,\mathcal{C}} (\rho\{x \mapsto q'\},\ e)}$$

$$\frac{\delta_{\mathcal{C}}(q, a) \text{ is undefined}}{(\rho\{x \mapsto q\},\ \mathbf{Acc}_a\ x\ e) \longrightarrow_{D,\mathcal{C}} \mathbf{Error}}$$
Example 5.2. Recall the program in Example 5.1. It can be reduced as follows.

$$\begin{aligned}
(\emptyset,\ S) &\longrightarrow_{D,\mathcal{C}} (\emptyset,\ \mathbf{New}^{q_1}\ (G\ \star)) \\
&\longrightarrow_{D,\mathcal{C}} (\{y \mapsto q_1\},\ G\ \star\ y) \\
&\longrightarrow_{D,\mathcal{C}} (\{y \mapsto q_1\},\ \mathbf{If}^*\ (\mathbf{Acc}_c\ y\ \star)\ (\mathbf{Acc}_r\ y\ (G\ \star\ y))) \\
&\longrightarrow_{D,\mathcal{C}} (\{y \mapsto q_1\},\ \mathbf{Acc}_r\ y\ (G\ \star\ y)) \\
&\longrightarrow_{D,\mathcal{C}} (\{y \mapsto q_1\},\ G\ \star\ y) \\
&\longrightarrow_{D,\mathcal{C}} (\{y \mapsto q_1\},\ \mathbf{If}^*\ (\mathbf{Acc}_c\ y\ \star)\ (\mathbf{Acc}_r\ y\ (G\ \star\ y))) \\
&\longrightarrow_{D,\mathcal{C}} (\{y \mapsto q_1\},\ \mathbf{Acc}_c\ y\ \star) \\
&\longrightarrow_{D,\mathcal{C}} (\{y \mapsto q_2\},\ \star)
\end{aligned}$$

We can now formally define the resource usage verification problem.

Definition 5.3 (resource usage verification problem). A program $(D, S, \mathcal{C})$ is resource-safe if (i) $(\emptyset, S) \not\longrightarrow^*_{D,\mathcal{C}} \mathbf{Error}$, and (ii) if $(\emptyset, S) \longrightarrow^*_{D,\mathcal{C}} (\rho, \star)$ then $\rho(x) \in F_{\mathcal{C}}$ for every $x \in dom(\rho)$. The resource usage verification problem is the problem of checking whether a program is resource-safe.

Example 5.4. The program given in Example 5.1 is resource-safe. The program obtained by replacing the body of $G$ (i.e. $\mathbf{If}^*\ (\mathbf{Acc}_c\ x\ k)\ (\mathbf{Acc}_r\ x\ (G\ k\ x))$) with $\mathbf{Acc}_r\ x\ (G\ k\ x)$ is also resource-safe; it does not terminate, so that it satisfies condition (ii) of Definition 5.3 vacuously. The program $D'$ obtained by replacing the definition of $G$ with:

$$G\ k\ x = \mathbf{If}^*\ k\ (\mathbf{Acc}_r\ x\ (G\ k\ x))$$

is not resource-safe, as $(\emptyset, S) \longrightarrow^*_{D',\mathcal{C}} (\{y \mapsto q_1\}, \star)$ and $q_1 \notin F_{\mathcal{C}}$.

We show below that the resource usage verification problem is $(n-1)$-EXPTIME complete for $n \ge 3$, where $n$ is the largest order of the types of terms in the source program. Here, the order of a type is defined by:

$$order(\mathbf{unit}) = order(\mathbf{R}) = 1 \qquad order(\kappa_1 \to \kappa_2) = \max(order(\kappa_1) + 1,\ order(\kappa_2))$$

Note that 3 is the lowest order of a closed program that creates a resource, since $\mathbf{New}^q$ has order 3.

The lower bound can be shown by a reduction of the reachability problem for a recursion scheme to the resource usage verification problem: given a recursion scheme $\mathcal{G} = (\Sigma, \mathcal{N}, \mathcal{R}, S)$, let $(D, S, \mathcal{C})$ be the program given by:

$$D = \{\ F\ \tilde{x} = g2p(t) \mid F\ \tilde{x} \to t \in \mathcal{R}\ \} \cup \{\ Fail\ x = \mathbf{Acc}_{fail}\ x\ \star\ \}$$
$$g2p(F\ t_1 \cdots t_m) = F\ g2p(t_1) \cdots g2p(t_m)$$
$$g2p(e) = \mathbf{New}^q\ Fail$$
$$g2p(a\ t_1 \cdots t_m) = \mathbf{If}^*\ g2p(t_1)\ (\cdots (\mathbf{If}^*\ g2p(t_{m-1})\ g2p(t_m))) \qquad (a \neq e)$$
$$\mathcal{C} = (\{q\},\ \{fail\},\ \emptyset,\ q,\ \{q\})$$

Then, the value tree of $\mathcal{G}$ contains $e$ if and only if the program $(D, S, \mathcal{C})$ is not resource-safe: the transition function of $\mathcal{C}$ is empty, so the access $fail$ performed by $Fail$ leads to $\mathbf{Error}$, and $Fail$ is reached exactly when $e$ is. Since resource primitives occur only in the encoding of $e$, the order of the program is the maximum of 3 and the order of the recursion scheme.

To show the upper bound, we transform a program $(D, S, \mathcal{C})$ into a recursion scheme $\mathcal{G}_{(D,S,\mathcal{C})}$, which generates a tree representing all possible (resource-wise) access sequences of the program [12], and a disjunctive APT $\mathcal{D}_{(D,S,\mathcal{C})}$, which accepts trees containing an invalid resource access sequence, so that $(D, S, \mathcal{C})$ is resource-safe if, and only if, $\mathcal{D}_{(D,S,\mathcal{C})}$ rejects the value tree of $\mathcal{G}_{(D,S,\mathcal{C})}$.
[Figure 2: The tree generated by the recursion scheme of Example 5.5.]

The recursion scheme $\mathcal{G}_{(D,S,\mathcal{C})} = (\Sigma, \mathcal{N}, \mathcal{R}, S)$ is given by:

$$\Sigma = \{ a \mapsto 1 \mid a \in A \} \cup \{ \nu^q \mapsto 2 \mid q \in Q_{\mathcal{C}} \} \cup \{ \star \mapsto 0,\ \iota \mapsto 1,\ \kappa \mapsto 1,\ br \mapsto 2 \}$$
$$\mathcal{N} = (\text{the set of function symbols in } D) \cup \{ \mathbf{If}^* \mapsto o \to o \to o \} \cup \{ \mathbf{Acc}_a \mapsto (o \to o) \to o \to o \mid a \in A \} \cup \{ \mathbf{New}^q \mapsto ((o \to o) \to o) \to o \mid q \in Q_{\mathcal{C}} \}$$
$$\mathcal{R} = \{ F\ \tilde{x} \to e \mid F\ \tilde{x} = e \in D \} \cup \{\ \mathbf{If}^*\ x\ y \to br\ x\ y,\quad \mathbf{Acc}_a\ x\ k \to x\ (a\ k),\quad \mathbf{New}^q\ k \to \nu^q\ (k\ \iota)\ (k\ \kappa)\ \}$$

Here, $A$ is the set of the names of access primitives that occur in $D$.

The preceding encoding is slightly different from the one presented in [12]. The terminal symbol $br$ represents a non-deterministic choice. In the rule for $\mathbf{New}^q$, a fresh resource is instantiated to either $\iota$ or $\kappa$, each of arity 1. This is a trick used to extract resource-wise access sequences, by tracking or ignoring the new resource in a non-deterministic manner. In the first branch, the resource is instantiated to $\iota$, so that all the accesses to the resource are kept track of. In the second branch, the resource is instantiated to $\kappa$, so that all the accesses to the resource are ignored. The above transformation preserves types, except that $\mathbf{unit}$ and $\mathbf{R}$ are replaced by $o$ and $o \to o$ respectively.

Example 5.5. The program in Example 5.1 is transformed into the recursion scheme consisting of the following rules:

$$\begin{aligned}
S &\to \mathbf{New}^{q_1}\ (G\ \star) \\
G\ k\ x &\to \mathbf{If}^*\ (\mathbf{Acc}_c\ x\ k)\ (\mathbf{Acc}_r\ x\ (G\ k\ x)) \\
\mathbf{If}^*\ x\ y &\to br\ x\ y \\
\mathbf{Acc}_a\ x\ k &\to x\ (a\ k) \\
\mathbf{New}^{q_1}\ k &\to \nu^{q_1}\ (k\ \iota)\ (k\ \kappa)
\end{aligned}$$

Figure 2 shows the value tree of the recursion scheme. The root node represents creation of a new resource (whose initial state is $q_1$). The nodes labeled by $c$ or $r$ express resource accesses. The left and right children are the same, except that each resource access is prefixed by $\iota$ in the left child, while it is prefixed by $\kappa$ in the right child.
[Figure 3: The tree generated by the recursion scheme of Example 5.6.]



Example 5.6. Consider the following program, which creates and accesses two resources:

$$\begin{aligned}
S &= \mathbf{New}^{q_1}\ F \\
F\ x &= \mathbf{New}^{q_1}\ (G\ \star\ x) \\
G\ k\ x\ y &= \mathbf{If}^*\ (\mathbf{Acc}_c\ x\ (\mathbf{Acc}_c\ y\ k))\ (\mathbf{Acc}_r\ x\ (\mathbf{Acc}_r\ y\ (G\ k\ x\ y)))
\end{aligned}$$

It is transformed into the recursion scheme consisting of the following rules:

$$\begin{aligned}
S &\to \mathbf{New}^{q_1}\ F \\
F\ x &\to \mathbf{New}^{q_1}\ (G\ \star\ x) \\
G\ k\ x\ y &\to \mathbf{If}^*\ (\mathbf{Acc}_c\ x\ (\mathbf{Acc}_c\ y\ k))\ (\mathbf{Acc}_r\ x\ (\mathbf{Acc}_r\ y\ (G\ k\ x\ y))) \\
\mathbf{If}^*\ x\ y &\to br\ x\ y \\
\mathbf{Acc}_a\ x\ k &\to x\ (a\ k) \\
\mathbf{New}^{q_1}\ k &\to \nu^{q_1}\ (k\ \iota)\ (k\ \kappa)
\end{aligned}$$

Figure 3 shows the value tree of the recursion scheme. Of the four subtrees whose roots are labeled by $br$, the leftmost subtree represents accesses to both resources $x$ and $y$; in other words, all the accesses to $x$ and $y$ are prefixed by $\iota$. In the second subtree, only the accesses to $x$ are prefixed by $\iota$. In the third subtree, only the accesses to $y$ are prefixed by $\iota$, while in the rightmost subtree, no accesses are prefixed by $\iota$.
The disjunctive APT $\mathcal{D}_{(D,S,\mathcal{C})} = (\Sigma, Q, \delta, q_I, \Omega)$, which accepts trees having a path corresponding to an invalid access sequence, is given by:

$$Q = Q_{\mathcal{C}} \cup \{ \overline{q} \mid q \in Q_{\mathcal{C}} \} \cup \{ q_I \}$$

$$\delta(q_I, a) = \begin{cases} (1, q_I) \vee (2, q_I) & \text{if } a = br \\ (1, q) \vee (2, q_I) & \text{if } a = \nu^q \\ \mathbf{f} & \text{if } a = \star \\ (1, q_I) & \text{otherwise} \end{cases}$$

$$\delta(q, a)\ (\text{where } q \in Q_{\mathcal{C}}) = \begin{cases} (1, q) \vee (2, q) & \text{if } a = br \\ (1, q) & \text{if } a = \iota \\ (1, \overline{q}) & \text{if } a = \kappa \\ (2, q) & \text{if } a = \nu^{q'} \\ \mathbf{f} & \text{if } a = \star \text{ and } q \in F_{\mathcal{C}} \\ \mathbf{t} & \text{if } a = \star \text{ and } q \notin F_{\mathcal{C}} \\ (1, q') & \text{if } a \in A \text{ and } \delta_{\mathcal{C}}(q, a) = q' \\ \mathbf{t} & \text{if } a \in A \text{ and } \delta_{\mathcal{C}}(q, a) \text{ is undefined} \end{cases}$$

$$\delta(\overline{q}, a)\ (\text{where } q \in Q_{\mathcal{C}}) = (1, q)$$
$$\Omega(q) = 1 \text{ for every } q \in Q$$

$\Sigma$ is the same as that of $\mathcal{G}_{(D,S,\mathcal{C})}$.

The APT reads the root of a tree in state $q_I$, and traverses the tree to find a path corresponding to an invalid resource access sequence. After reading $\nu^q$ in state $q_I$, the APT either (i) chooses the left branch and changes its state to $q$, the initial state of the new resource, tracking accesses to the resource afterwards; or (ii) chooses the right branch, ignoring accesses to the new resource. In the mode to track resource accesses (i.e., in a state $q \in Q_{\mathcal{C}}$), the APT changes its state according to resource accesses, except: (i) upon reading $\kappa$, it skips the next symbol, which represents an access to a resource not being tracked; (ii) upon reading $\nu^{q'}$, it only reads the right branch, ignoring the resource created by this $\nu^{q'}$ (as it is already keeping track of another resource); (iii) upon reading $a \in A$ such that $\delta_{\mathcal{C}}(q, a)$ is undefined, or reading $\star$ when $q \notin F_{\mathcal{C}}$, it terminates successfully (as an invalid access sequence has been found); and (iv) upon reading $\star$ in a state $q \in F_{\mathcal{C}}$, it aborts (as the path being read was actually a valid access sequence). The priority function maps every state to 1, so that no infinite run (which corresponds to an infinite execution sequence of the program without any invalid resource access) is considered an accepting run.

From the construction above, we have:

Theorem 5.7. $(D, S, \mathcal{C})$ is resource-safe if, and only if, the value tree of $\mathcal{G}_{(D,S,\mathcal{C})}$ is not accepted by $\mathcal{D}_{(D,S,\mathcal{C})}$.

The proof is similar to the corresponding theorem in [12], hence omitted. (As mentioned above, the encoding presented in this article is slightly different from the one in [12], but the proofs are similar: they are tedious but rather straightforward.)

Note that the order of $\mathcal{G}_{(D,S,\mathcal{C})}$ is the same as that of $D$. Thus, as a corollary of the above theorem and Theorem 4.2, we obtain that the resource usage verification problem is in $(n-1)$-EXPTIME.
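The following Python program is an added worked example, not code from the paper: it builds the rules of $\mathcal{G}_{(D,S,\mathcal{C})}$ from a program in the syntax of Example 5.1, encodes the transition function of $\mathcal{D}_{(D,S,\mathcal{C})}$ exactly as defined above, and decides acceptance by exploring the product of APT states and scheme terms (Theorem 5.7 then gives resource-safety as the negation). Because every priority is 1, an accepting run is a finite path ending in $\mathbf{t}$, so acceptance is the least fixpoint over the product graph; this shortcut is exact only when the reachable set of (state, term) configurations is finite, which holds for the programs of Examples 5.1 and 5.4 but is not the paper's general $(n-1)$-EXPTIME procedure of Theorem 4.2. The names `star`, `iota`, `kappa`, `nu^q`, the file automaton `DELTA_C`/`FINAL_C` (the $r^*c$ automaton of Example 5.1) and the extra "read after close" program are all constructed here for illustration.

```python
from collections import deque

# Constructed sample data: the file automaton C of Example 5.1 (access sequences r*c):
# states q1, q2 with delta_C(q1, r) = q1, delta_C(q1, c) = q2, final states F_C = {q2}.
DELTA_C = {("q1", "r"): "q1", ("q1", "c"): "q2"}
FINAL_C = {"q2"}
ACCESSES = {"r", "c"}
STATES_C = {q for (q, _) in DELTA_C} | set(DELTA_C.values()) | FINAL_C

def T(head, *args):
    """Applicative term: a symbol (terminal, non-terminal or variable) applied to terms."""
    return (head, tuple(args))

def subst(term, env):
    """Substitute bound variables; a variable in head position is spliced in."""
    head, args = term
    args = tuple(subst(a, env) for a in args)
    if head in env:
        h2, a2 = env[head]
        return (h2, a2 + args)
    return (head, args)

def head_normalise(term, rules, fuel=10_000):
    """Rewrite at the head until a terminal appears, i.e. until a node of the value tree."""
    while term[0] in rules:
        if fuel == 0:
            raise RuntimeError("unproductive rule: no terminal reached at the head")
        fuel -= 1
        params, body = rules[term[0]]
        args = term[1]
        rhs = subst(body, dict(zip(params, args[:len(params)])))
        term = (rhs[0], rhs[1] + args[len(params):])
    return term

def scheme_of_program(defs):
    """Rules of G_(D,S,C): the definitions in D plus the fixed rules for If*, Acc_a, New^q."""
    rules = dict(defs)
    rules["If*"] = (["x", "y"], T("br", T("x"), T("y")))
    for a in ACCESSES:
        rules["Acc_" + a] = (["x", "k"], T("x", T(a, T("k"))))
    for q in STATES_C:
        rules["New^" + q] = (["k"], T("nu^" + q, T("k", T("iota")), T("k", T("kappa"))))
    return rules

def delta(state, label):
    """Transition of D_(D,S,C): a list of disjuncts (child index, next state), or 't' / 'f'."""
    kind, q = state
    if kind == "init":                               # q_I: still looking for a resource to track
        if label == "br": return [(1, state), (2, state)]
        if label.startswith("nu^"): return [(1, ("track", label[3:])), (2, state)]
        if label == "star": return "f"
        return [(1, state)]
    if kind == "skip":                               # q-bar: this access belongs to an ignored resource
        return [(1, ("track", q))]
    if label == "br": return [(1, state), (2, state)]   # kind == "track", q is a state of C
    if label == "iota": return [(1, state)]
    if label == "kappa": return [(1, ("skip", q))]
    if label.startswith("nu^"): return [(2, state)]  # already tracking one resource: ignore the new one
    if label == "star": return "f" if q in FINAL_C else "t"
    if label in ACCESSES:
        q2 = DELTA_C.get((q, label))
        return "t" if q2 is None else [(1, ("track", q2))]
    raise ValueError("unknown terminal " + label)

def apt_accepts(defs, max_configs=10_000):
    """Does D_(D,S,C) accept the value tree of G_(D,S,C)?  All priorities are 1, so a run is
    accepting iff it is a finite path ending in 't': least fixpoint over the finite product."""
    rules = scheme_of_program(defs)
    root = (("init", None), T("S"))
    succ, todo = {}, deque([root])
    while todo:
        cfg = todo.popleft()
        if cfg in succ: continue
        if len(succ) >= max_configs:
            raise RuntimeError("configuration space too large for an exhaustive search")
        state, term = cfg
        label, kids = head_normalise(term, rules)
        d = delta(state, label)
        succ[cfg] = d if isinstance(d, str) else [(q2, kids[i - 1]) for (i, q2) in d]
        if not isinstance(d, str): todo.extend(succ[cfg])
    accepting = {c for c, d in succ.items() if d == "t"}
    changed = True
    while changed:
        changed = False
        for c, d in succ.items():
            if c not in accepting and not isinstance(d, str) and any(s in accepting for s in d):
                accepting.add(c); changed = True
    return root in accepting

def resource_safe(defs):
    """Theorem 5.7: (D, S, C) is resource-safe iff the APT rejects the value tree."""
    return not apt_accepts(defs)

# Example 5.1: read any number of times, then close (safe).
EXAMPLE_5_1 = {
    "S": ([], T("New^q1", T("G", T("star")))),
    "G": (["k", "x"], T("If*", T("Acc_c", T("x"), T("k")),
                         T("Acc_r", T("x"), T("G", T("k"), T("x"))))),
}
# D' of Example 5.4: may return without closing, violating condition (ii).
NO_CLOSE = dict(EXAMPLE_5_1, G=(["k", "x"], T("If*", T("k"), T("Acc_r", T("x"), T("G", T("k"), T("x"))))))
# The non-terminating program of Example 5.4: reads forever (vacuously safe, an infinite run).
READ_FOREVER = dict(EXAMPLE_5_1, G=(["k", "x"], T("Acc_r", T("x"), T("G", T("k"), T("x")))))
# Constructed here, not from the paper: read after close; delta_C(q2, r) is undefined, i.e. Error.
READ_AFTER_CLOSE = dict(EXAMPLE_5_1, G=(["k", "x"], T("Acc_c", T("x"), T("Acc_r", T("x"), T("k")))))
```

Calling `resource_safe(EXAMPLE_5_1)` returns `True`, `resource_safe(NO_CLOSE)` and `resource_safe(READ_AFTER_CLOSE)` return `False` (the APT reaches $\mathbf{t}$ on $\star$ in state $q_1$, respectively on $r$ in state $q_2$), and `resource_safe(READ_FOREVER)` returns `True` because the only tracked path is a cycle, which under priority 1 is not accepting. The `max_configs` guard is what keeps the shortcut honest: a program whose continuation terms grow without bound would exhaust it, and then the type-based algorithm of Theorem 4.2 is the right tool.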
6. Related Work

Our analysis of the lower bound is based on Engelfriet's earlier work on the complexity of the iterated pushdown automata word acceptance and emptiness problems, and the results of Knapik et al. on the relationship between higher-order PDA and safe recursion schemes.

The model checking of recursion schemes for the class of trivial APT has been studied by Aehlig [1] (under the name "trivial automata"). He gave a model checking algorithm, but did not discuss its complexity. For the same class, Kobayashi [12] showed that the complexity is linear in the size of recursion schemes, if the types and automata are fixed. For the full modal $\mu$-calculus, Kobayashi and Ong [13] have shown that the complexity is $n$-EXPTIME in the largest arity of symbols in the recursion scheme, the number of states of the APT, and the largest priority, but polynomial in the number of the rules of the recursion scheme.

Our encoding of the word acceptance problem of an order-$n$ alternating PDA into the model checking problem of an order-$n$ tree-generating PDA (the construction of $\mathcal{M}_{\mathcal{A},w}$ in Section 3) is similar to Cachat and Walukiewicz's encoding of the word acceptance problem into the reachability game on a higher-order pushdown system [3]. In fact, the tree generated by $\mathcal{M}_{\mathcal{A},w}$ seems to correspond to the unravelling of the game graph of the higher-order pushdown system (where the nodes labelled by $E$ are Player's positions, and those labelled by $A$ are Opponent's positions). Thus, $n$-EXPTIME-hardness of model checking for trivial APT (in the size of the recursion scheme) would follow also from the $n$-EXPTIME hardness of the reachability game on higher-order pushdown systems [3, 5].

7. Conclusion

We have considered two subclasses of APT, and shown that the model checking of an order-$n$ recursion scheme is $n$-EXPTIME complete for trivial APT, and $(n-1)$-EXPTIME complete for disjunctive APT, both in the size of the recursion scheme and in the size of the APT. As an application, we showed that the resource usage verification problem is $(n-1)$-EXPTIME complete. The lower bound for the finiteness problem (recall Section 4.3) is left as an open problem.
Appendix A. Characterizing trivial APT and disjunctive APT as modal mu-calculus fragments

From Logic to Automata. Consider the following set of modal mu-calculus formulas:

$$\varphi, \psi ::= \mathbf{t} \mid \mathbf{f} \mid P_f \mid Z \mid \varphi \wedge \psi \mid \varphi \vee \psi \mid \langle i \rangle \varphi \mid \nu Z.\varphi \mid \mu Z.\varphi$$

This is a superset of the fragments $\mathcal{S}$ and $\mathcal{D}$ introduced in Sections 3 and 4 respectively.

We can apply the translation of Kupferman et al. [2] to a modal mu-calculus formula to get an equivalent alternating parity tree automaton. We just need to modify the definition of $\delta$ ([2, page 339]) in the clause for the atomic propositions $P_f$, which yields $\mathbf{t}$ at a node labelled $f$ and $\mathbf{f}$ otherwise.

It is easy to see that the translation maps an $\mathcal{S}$-formula to a trivial automaton, and a $\mathcal{D}$-formula to a disjunctive automaton.



From Automata to Logic. Our presentation here follows Walukiewicz [20]. Fix an APT $\mathcal{A} = (\Sigma, Q, \delta, q_I, \Omega)$ where $Q = \{q_1, \ldots, q_n\}$. Suppose the ordering $q_1, \ldots, q_n$ satisfies $\Omega(q_i) \ge \Omega(q_j)$ for every $i < j$. Consider the following $n$-tuple of modal mu-calculus formulas, call it $\chi_{\mathcal{A}}$, simultaneously defined by least and greatest fixpoints over the variables $Z_1, \ldots, Z_n$: it is the (vectorial) solution of the system of equations

$$Z_i \ =_{\sigma_i}\ X_i \qquad (1 \le i \le n)$$

where $\sigma_i := \mu$ if $\Omega(q_i)$ is odd, and $\nu$ otherwise, and where, for each $1 \le i \le n$,

$$X_i := \bigvee_{f \in \Sigma} \left( P_f \wedge \ulcorner \delta(q_i, f) \urcorner \right).$$

We define $\ulcorner \delta(q_i, f) \urcorner$ by:

$$\begin{aligned}
\ulcorner (d, q_i) \urcorner &:= \langle d \rangle Z_i \\
\ulcorner \mathbf{t} \urcorner &:= \mathbf{t} \\
\ulcorner \mathbf{f} \urcorner &:= \mathbf{f} \\
\ulcorner \varphi_1 \wedge \varphi_2 \urcorner &:= \ulcorner \varphi_1 \urcorner \wedge \ulcorner \varphi_2 \urcorner \\
\ulcorner \varphi_1 \vee \varphi_2 \urcorner &:= \ulcorner \varphi_1 \urcorner \vee \ulcorner \varphi_2 \urcorner
\end{aligned}$$

Write $\pi_i(\chi_{\mathcal{A}})$ for a modal mu-calculus formula (semantically) equivalent to $\chi_{\mathcal{A}}$ projected onto the $i$-th component (which is well-defined by an application of the Bekić Principle).

Let $\mathcal{A}$ be an APT and $t$ a $\Sigma$-labelled ranked tree. Walukiewicz [20] has shown that $t$ is accepted by $\mathcal{A}$ if, and only if, it satisfies $\pi_1(\chi_{\mathcal{A}})$ at the root.

Proposition A.1. (i) If $\mathcal{A}$ is a trivial APT, then $\pi_1(\chi_{\mathcal{A}})$ is an $\mathcal{S}$-formula.
(ii) If $\mathcal{A}$ is a disjunctive APT, then $\pi_1(\chi_{\mathcal{A}})$ is a $\mathcal{D}$-formula.

Proof. (i): If $\mathcal{A}$ has only one priority 0, then it follows from the definition that $\chi_{\mathcal{A}}$ is constructed using only the $\nu$-fixpoint operator. (ii) Since $\delta(q_i, f)$ is a disjunctive formula, it follows that every conjunction subformula of $\chi_{\mathcal{A}}$ is of the form $P_f \wedge \varphi$. □
Appendix B. Alternative Proof of $(n-1)$-EXPTIME Upper-Bound for Disjunctive APT

We sketch an alternative proof of Theorem 4.2 using Ong's variable profiles [15].

In order to appreciate the proof sketched below, some knowledge of the workings of a traversal-simulating APT is required. In particular it is necessary to know about variable profiles and how they are employed.

Since $\mathcal{B}$ is disjunctive, it has an accepting run-tree on $[\![\mathcal{G}]\!]$ just in case it has an accepting run-tree that does not branch (i.e. each node of the run-tree has at most one child). It follows that $\mathcal{B}$ has an accepting traversal tree if and only if it has an accepting traversal tree that does not branch.

The key observation is that the traversal-simulating APT $\mathcal{C}$ thus need only 'guess' one exit point when it reaches a node labelled by a variable of order one, even if its type has arity greater than one. It follows that we can simplify the definition of variable profiles. A profile of a ground-type variable has the shape $(x, q, m, \emptyset)$ where $q$ is a state and $m$ a colour, which is the same as in the general case. However a profile of a variable $\varphi$ of a first-order type $\underbrace{o \to \cdots \to o}_{k} \to o$ now has the shape $(\varphi, q, m, c)$ where $c$ is either empty or a singleton set consisting of a profile of a ground-type variable, as opposed to a set of such profiles. The profiles of variables of order two or higher are defined as in the general case. Thus the number of variable profiles of a given order (at least one) is reduced by one level of exponentiation compared to the general case. Now viewing $VP(A)$ as denoting the set of variable profiles of type $A$ (of order at least one) restricted to containing either empty or singleton interfaces:

$$\sum_{A \text{ an order-}i \text{ type}} |VP(A)| \;=\; O\!\left(\exp_{i-1}(|Gr_{\mathcal{G}}| \times |Q| \times p)\right)$$

where $Q$ is the state space of $\mathcal{B}$, $p$ is the number of priorities, and $Gr_{\mathcal{G}}$ is the (finite) graph that unravels to the computation tree $\lambda(\mathcal{G})$. The number of nodes in the parity game induced by the traversal-simulating APT $\mathcal{C}$ and the computation tree $\lambda(\mathcal{G})$ will thus also have bound $O(\exp_{n-1}(|Gr_{\mathcal{G}}| \times |Q| \times p))$, and using Jurdziński's algorithm we have that the acceptance parity game can be solved in time $O(\exp_{n-1}(|Gr_{\mathcal{G}}| \times |Q| \times p))$. The problem thus lies in $(n-1)$-EXPTIME.